To successfully audit the SAP R/3 system, the auditor needs to have an appropriate level of access in the SAP system. As a basic rule of auditing, SAP auditors should have display access authorization to the various functions / transaction codes within SAP. Auditors normally receive display access to the production client in SAP. This enables the auditor's to browse through live data in the system with view access.

In some cases, where an auditor is required to check the SAP system configuration or configurable controls in SAP, auditors may request access to the test SAP environment. This is done so that auditors can pass test or dummy entries in SAP R/3 to test the system logic and how transactions are processed. In no case should the auditor have modify / change access to the production client in SAP. This may have legal consequences which may have an adverse impact on the engagement. I would also suggest getting a express letter from the management which outlines the access authorization in SAP R/3.

As such SAP provides certain standard display authorizations which the auditor can request.

F_ANZ - This is the display authorization for the financial module
A_ANZ - This is the display authorization for Fixed Assets
M_ANZ - Display authorizations for material and logistics operations
S_A_SHOW - Display for SAP BASIS transactions.

Related Posts

Correction & Transport System in SAP , Authorization Concept in SAP , SAP Number Ranges